The Cyber Jack Podcast: A Military Mind's Approach to Security Operations - Tom Gorup, Alert Logic

There's a global talent shortage in cybersecurity. So when we hear an Army veteran's success story in security, we get excited. Tom Gorup, VP of Security Operations at MDR provider Alert Logic, dives into the OCOKA military strategy and how he has applied what he learned from his deployments in Iraq and Afghanistan to his leadership role in security operations. He also provides advice for veterans looking to get into cybersecurity. All this and more on The Cyber Jack Podcast.

[Automated transcription for accessibility and reading leisure]


Jack 00:04

Today, Tom Gorup, Vice President of Security Operations at Alert Logic joins us to talk about how veterans can thrive in cyber and the power of the OCOKA military strategy. All this and more on The Cyber Jack Podcast.

Tom, thanks so much for joining us today, we're looking forward to talking about some really interesting topics. To give our audience some background, can you tell us how you came to run security operations at Alert Logic and what you're doing in your role today?

Tom Gorup 00:41

Sure, yeah. Prior to Alert Logic, I was at a company called Rook Security. I started out there as -- showing up there to be an intern -- that was my objective. Early on, I had just recently gotten out of the Army, going to school looking to get into information security, and Rook Security was looking for security analysts. I applied and, you know, I was just asking, "Hey, can I get in on an internship?" I went in for the interview, and they ended up hiring me full time. And from there, I kind of worked my way up into a team lead position, into more of a manager position. And the team was small. When I started in the SOC, specifically, there were two of us and an intern, an actual intern. And from there, I grew the SOC into a 24x7 security operations center; we had up to, I think, 18, 19 people, and, you know, delivering security operations services for Fortune 500 companies, which was awesome, a lot of fun to be able to build and grow a team like that, but also a set of services around it. So eventually, I became co-founder, because really, the SOC didn't quite exist until I was able to grow it to where it became. And then from there, sold to Sophos, and I came over to Alert Logic to run the security operations center here. So that's what I do every day: really look for opportunities to improve our services, to keep pushing the limits of what we can deliver to our customers. And ultimately, really, to simplify security, because it is a complex space. And most businesses out there don't really have the in-house expertise to do a good job at it. And so that's what we're here for: to help businesses secure themselves.

Jack 02:42

That's great. And I know you also have a background in the military. Can you tell us about your experience in the army and how your time in the military prepared you for an in-house cybersecurity role?

Tom Gorup 02:54

Yeah. So, it's a lot different in some ways and similar in others. So I joined the Army as an infantryman, served in Iraq and Afghanistan, Iraq in '06 and '07, and Afghanistan 2010-2011. Didn't do anything technical while I was in the military, as it was very much grunt work, frontlines. There were actually two documentaries of my time in Afghanistan, or my unit's time in Afghanistan. One is The Hornet's Nest, and the other is No Greater Love. That was actually one of the first documentaries built by, I think, an active-duty soldier; a chaplain had done No Greater Love, an amazing, amazing film. But throughout that time, there's a lot of tactics that I found once... I guess, rewinding a little bit. So I remember being in Afghanistan, I knew I was going to get out of the military.

But I didn't know quite what I was going to do. And I knew I always had a passion for technology. I found it fascinating that you could speak to someone on the other side of the world, and those messages are sent and received in milliseconds. I thought that was amazing. So, digging into networking made sense. So, I bought the CCNA study guide. And if you're familiar with that, it's a really thick, thick book, written by Todd Lammle. I remember reading the first three or four chapters over and over again on my bunk in Afghanistan, because I didn't have a lab or any place to do these things in.

And none of it made sense. And then I finally got to the security section, and everything started clicking. It's like, "Oh, that makes sense." And after a while, I realized that there was this connection, obviously, between physical security and digital security, that what I really had to do was learn my tools. It was less about the tactics and techniques in securing this infrastructure. Rather, it's learning what tools I can use to secure this infrastructure. I'm no longer using machine guns and claymores anymore; I'm using firewalls and antivirus. So that allowed me to make those connections more and more often and start learning, okay, what are the offensive tools, and become focused in those areas. So one of the great tactics that we used was OCOKA. It's Observation and Field of Fire, Cover and Concealment, Obstacles, Key Terrain and Avenues of Approach. That's how we secured battle positions. We applied, you know, effectively ask questions. So you get the threat modeling against the position that you're trying to defend. You figure out what is the best method by which I can defend this position. Same thing we can do when looking at computer networks: I'm looking at what I can see, I'm looking at how I can defend and protect data, and what avenues of approach an enemy might come in on to take that data. So that was a big part of it, making the connection and, obviously, the discipline, the leadership, the perspective of the world that came with being in, you know, Iraq and Afghanistan, living that life for a long time also had, you know, a significant impact on, you know, my perspective of the world, attitude and work ethic.

Jack 06:26

Definitely, those sound like really transferable skills. So double-clicking real quick on OCOKA, how did you relate that from military to cyber strategy? And what made you decide to implement that strategy into your current role with Alert Logic?

Tom Gorup 06:43

So even thinking about OCOKA, it can still be kind of complex. I was trying to find ways to break things down to their simplest form to make it easy to explain. But when I was going through that process, I got to work on visibility, exposures and threats, which I'll kind of talk to in a second. But OCOKA is great. Breaking it down again, it's Observation and Field of Fire. The first thing is, what can I see? When I look outside of my battle position and look left to right, I look how far out, how close. What can I see, my observation and field of fire? And are there overlapping sectors of fire? So if you think about points of ingress or egress, or we think about how networks, VLANs, how they're traversing a switch, you start to contemplate that observation and field of fire. What can I see? Cover and concealment: we start thinking about layered defense, how can we protect our crown jewels? The same thing applies with the forward operating base or even a small hasty battle position. As I'm trying to secure that position, are there things in there I need to protect? Right, our medic, or certain people that we want to keep in the center to ensure that we can keep the battlefield moving. Obstacles, cover and concealment? Or, excuse me, obstacles. Next one. So obstacles, are there things in my way, or other things in the enemy's way, in preventing me from securing the base or them from attacking the base? And can I document those? These days, those could be business problems. There could be technical limitations. There are a number of obstacles that stand in our way. Key terrain, as I mentioned before, what is that thing I'm trying to protect? And finally, avenues of approach. If I were to be attacked right now, think about threat modeling, how would that come to me? How would an attacker come at me? So you can directly apply OCOKA, not only to securing a FOB, or excuse me a battle position, or a FOB, a forward operating base, but also a computer network.

But again, you have to learn your tools. It's not directly applicable, but it's a lot easier to learn about a tool than it is sometimes to learn about a tactic and how to directly apply it. So from there, again, OCOKA can still be complicated in talking about, so even abstract it a little bit more. What it really comes down to is visibility, exposures, and threats. What's interesting I find about the digital space is it can be attacked on a regular basis. And it's kind of okay; I can gain visibility about it, and I can learn about those attacks by getting attacked. When you're in Iraq or Afghanistan, that has obviously real-world consequences. You want to limit even the opportunity for an attack. But in the digital space, these attacks are happening all the time, and you're able to learn from them. So your threats, what you're seeing on a day-to-day basis, are useful. Same with your exposures. It's not as easy in the battlefield to just scan your perimeter to find out where you're exposed, where you're vulnerable. In the digital space, we have that ability. So you actually have a lot more capability to harden yourself, to learn more about yourself in the digital world, than you do in the physical space.

Jack 10:21

That makes sense. There are definitely a ton of parallel concepts from the military that could be applied to cyber. For those in the military looking to find a similar career path to yours, what kind of advice would you give them?

Tom Gorup 10:36

Find those connections. What made the big difference for me was realizing that there are things that I learned in the military that I'll never use again. For example, walking on grass: you're allowed to do that, you don't need to worry about that anymore. So you can throw that one out. Then there are things that are hard, transferable, like leadership skills, the confidence that you get, the values that the military's instilled in you. These are things that you can carry with you that are directly tangible. Excuse me. And then there are things that you have to find; you have to seek out how they connect, where they're transferable. As I mentioned before, OCOKA is an easy, low-hanging fruit. Learning how that connected in a digital space from the physical world made a huge difference. Now I could take almost 80% of what I learned in the military and directly apply it to the real world. So take the time to think about how what I did in the military helped shape me to where I want to be. So if it's IT security, and that's the direction, you can do it as an infantryman. I was in the infantry. So you can do it; it's creating those connections and really putting your head down and applying the same work ethic that you did while deployed, while in the field, and just do it sitting at a computer.

Jack 12:09

Yeah, there seem to be multiple paths for military veterans in cyber, and we could sure use the help with the talent shortage going on. So final question, with a military mindset: what advice would you give CISOs or organizations looking to secure their most valuable data and assets in this age of advanced threats?

Tom Gorup 12:31

So advice for CISOs or businesses trying to protect themselves: the biggest thing to focus on is always visibility. Super important, it's critical; you can't protect what you can't see. At the same time, we also need to make sure that we're taking a threat modeling approach, and it doesn't need to be super heavy. We don't need to dig into the full threat modeling concept. We can look at it from, even again, I love simplicity, a simplified version of the kill chain: think about left of boom, boom, right of boom. So on the left of boom, there's reconnaissance; people are trying to figure out how to break into the business. And when boom happens, it's bad. But can we detect and manage it right of boom? That's a big part of it. Zero-day vulnerabilities happen all the time; Log4j is, you know, top of mind. We need to be able to detect right of boom; we need to have that breadth and depth. So the takeaway there is, you know, visibility is critical. We need to have breadth and depth in our technology to not just detect when somebody is kind of knocking on a door, checking all the locks. And not always are we going to see the zero-day attacks. They're brand new; nobody knows about them. But post-compromise activity, the tactics, techniques, and procedures that attackers use, which is kind of built on the kill chain, right? They're detectable. And we see it all the time. SolarWinds is another great example. How did Microsoft and Mandiant pick up on this? Because they have controls in place to detect post-compromise activity. So you can throw all the zero days you want; if you have good controls, good visibility on the right of boom, you'll still successfully pick up even the most advanced attackers. So visibility is critical, and having breadth and depth of detection will go a long way.

Jack 14:37

There it is. Tom, thank you so much for coming on the show. Really appreciate your background and unique perspective on cyber. To all of our listeners, we’ll see you next time.

